go.lang.security.audit.net.pprof.pprof-debug-exposure
Verified by r2c. Community Favorite.
Author: semgrep
Download Count*: 123,978
The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import "net/http/pprof"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.
Definition
rules:
- id: pprof-debug-exposure
  metadata:
    cwe:
    - "CWE-489: Active Debug Code"
    owasp: A06:2017 - Security Misconfiguration
    source-rule-url: https://github.com/securego/gosec#available-rules
    references:
    - https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/
    category: security
    technology:
    - go
    confidence: LOW
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Active Debug Code
  message: The profiling 'pprof' endpoint is automatically exposed on
    /debug/pprof. This could leak information about the server. Instead, use
    `import "net/http/pprof"`. See
    https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/
    for more information and mitigation.
  languages:
  - go
  severity: WARNING
  patterns:
  - pattern-inside: |
      import _ "net/http/pprof"
      ...
  - pattern-inside: |
      func $ANY(...) {
        ...
      }
  - pattern-not-inside: |
      $MUX = http.NewServeMux(...)
      ...
      http.ListenAndServe($ADDR, $MUX)
  - pattern-not: http.ListenAndServe("=~/^localhost.*/", ...)
  - pattern-not: http.ListenAndServe("=~/^127[.]0[.]0[.]1.*/", ...)
  - pattern: http.ListenAndServe(...)
Examples
pprof.go
package main

import (
	"fmt"
	"log"
	"net/http"
	_ "net/http/pprof"
)

func ok() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})
	// ok: pprof-debug-exposure
	log.Fatal(http.ListenAndServe("localhost:8080", nil))
}

func ok2() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})
	// ok: pprof-debug-exposure
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}

func ok3() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})
	mux := http.NewServeMux()
	// ok: pprof-debug-exposure
	log.Fatal(http.ListenAndServe(":8080", mux))
}

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})
	// ruleid: pprof-debug-exposure
	log.Fatal(http.ListenAndServe(":8080", nil))
}
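A companion to the examples above, added here and not part of the rule's own test file: it shows the mitigation the rule rewards (a dedicated ServeMux for public traffic, with pprof registered explicitly on a second mux that is bound only to loopback) and, going one step beyond the page, checks with httptest that the public mux does not answer /debug/pprof/ while http.DefaultServeMux still does, because any import of net/http/pprof, blank or named, registers its handlers there. The 127.0.0.1:6060 debug address is an assumption.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"strings"
)

// newPublicMux builds the externally reachable handler. Because it is a
// dedicated ServeMux rather than nil (which means http.DefaultServeMux), the
// handlers that net/http/pprof registers in its init() are not reachable here.
func newPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("Hello World!"))
	})
	return mux
}

// newDebugMux registers the pprof handlers explicitly on a separate mux that
// main binds only to a loopback address (assumed: 127.0.0.1:6060).
func newDebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// servesPprof reports whether h answers GET /debug/pprof/ with the pprof index
// page (HTTP 200 and a body that mentions the pprof path) instead of a 404.
func servesPprof(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/debug/pprof/", nil))
	return rec.Code == http.StatusOK && strings.Contains(rec.Body.String(), "pprof")
}

func main() {
	// Profiling stays on loopback; the public listener never sees it.
	go func() { log.Fatal(http.ListenAndServe("127.0.0.1:6060", newDebugMux())) }()
	log.Fatal(http.ListenAndServe(":8080", newPublicMux()))
}
```

The third assertion in the test is the point the rule encodes: importing net/http/pprof is only safe when the listener that faces the network is not handed `nil` as its handler.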
Short Link: https://sg.run/x1Ep